I have a background in IT and computers, but this virus is really stumping me. I have 2 computers, one of them I am on now, the other one has the virus. The other computer has Windows XP too. I noticed Reader_s.exe seems to be launching different .dll and .tmp files that always return with a different name when deleted. Also some of the files associated with the virus are unable to be deleted even in Safe Mode. These files are located in the Windows/system32 folder.
The main problem is when the computer is not in safe mode, Opening My Computer or Internet Explorer or clicking the Task Bar causes explorer.exe to crash, and closes those applications.
I've done a lot of looking around at many different websites and I noticed Rorschach helped a few people with this problem such as here: http://www.geekstogo...nd-t258161.html
(I followed along until there was a piece of code for Avenger.exe that was written specifically for that computer.)
The computer got the virus a month ago but up until today the infected computer would restart immediately after loading Windows (Regular and Safe Mode).
I have been able to get into the computer now.
Some things that are happening:
- Internet Explorer and Firefox crash immediately when launched. I am able to go to My Computer in Safe Mode with Networking and access the internet from the address bar.
- Most anti-virus websites will display "Page cannot be displayed", so the virus seems to be hiding these pages (for example, avg.com).
- Malwarebytes, HijackThis do not work. When launched the program will close 5 seconds later, and the exe will become corrupted saying "You have insufficient access to this program." I downloaded Inherit.exe and I was able to relaunch these programs, but they still close 5 seconds later.
- Renaming applications does not seem to help at all.
- ComboFix setup becomes corrupted and asks me to re-download the application due to Virut, tried redownloading many times.
I also deleted entries from Regedit for the startup (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [and RunOnce]).
System restore also seems to be disabled. I can get to the "Confirm Restore Point Selection", but clicking next does not do anything even in Safe Mode. I ran a reg fix from http://www.kellys-ko...storeenable.reg to try and fix the system restore problem, but it did not work for me.
Edited by sVs, 04 December 2009 - 02:34 PM.